fix(gtea): UPGRADE_SECRET_PREP hook — pre-insert lfs_jwt_secret with correct 43-char format

Blocker 4 fix: abra `secret generate --all` uses .env.sample for length hints; the
lfs-plain-gitea PR has SECRET_LFS_JWT_SECRET_VERSION=v1 COMMENTED OUT, so abra produces
a wrong-length secret. gitea requires exactly 43 chars (32 bytes base64 URL-safe); wrong
length → gitea fatals trying to save the JWT secret to the read-only Docker Config
app.ini → health check fails → swarm rolls back.

Fix: new UPGRADE_SECRET_PREP hook (meta.py) called before `abra secret generate --all`
in the upgrade path. abra's `--all` is idempotent (skips existing secrets), so the
correctly pre-inserted secret survives. gitea's recipe_meta.py implements the hook using
`docker secret create` directly to guarantee correct format regardless of .env.sample.

Also consumes machine-docs/BUILDER-INBOX.md (Adversary Blocker 4 digest).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

runner/harness/generic.py

@@ -261,6 +261,10 @@ def perform_upgrade(
         print(f"  upgrade-env: {k}={v}", flush=True)
         abra.env_set(domain, k, v)
     if upgrade_env:
+        # UPGRADE_SECRET_PREP: run before --all so any recipe-specific secrets are pre-inserted
+        # with the correct format/length. abra `generate --all` is idempotent (skips existing
+        # secrets), so a correctly pre-inserted secret survives the subsequent --all call.
+        meta_mod.upgrade_secret_prep(meta, meta_mod.hook_ctx(domain, meta, op="upgrade"))
         # UPGRADE_EXTRA_ENV may introduce new SECRET_* vars (e.g. lfs_jwt_secret for the LFS overlay
         # landing in a PR). Generate any missing secrets now — abra secret generate is idempotent
         # (skips secrets that already exist) — before the chaos redeploy references them.